/
azure_ad_unusual_number_of_failed_authentications_from_ip.yml
86 lines (84 loc) · 3.7 KB
/
azure_ad_unusual_number_of_failed_authentications_from_ip.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
name: Azure AD Unusual Number of Failed Authentications From Ip
id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d
version: 2
date: '2022-07-11'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
description: 'The following analytic identifies one source Ip failing to authenticate
with multiple valid users. This behavior could represent an adversary performing
a Password Spraying attack against an Azure Active Directory tenant to obtain initial
access or elevate privileges. Error Code 50126 represents an invalid password.
The detection calculates the standard deviation for source Ip and leverages the
3-sigma statistical rule to identify an unusual number of failed authentication
attempts. To customize this analytic, users can try different combinations of the
`bucket` span time and the calculation of the `upperBound` field. This logic can
be used for real time security monitoring as well as threat hunting exercises.
While looking for anomalies using statistical methods like the standard deviation
can have benefits, we also recommend using threshold-based detections to complement
coverage. A similar analytic following the threshold model is `Azure AD Multiple
Users Failing To Authenticate From Ip`.'
data_source:
- Azure Active Directory
search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| bucket span=5m _time
| stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress
| eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress
| eval upperBound=(ip_avg+ip_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0)
| where isOutlier = 1
| `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
known_false_positives: A source Ip failing to authenticate with multiple users is
not a common for legitimate behavior.
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure Active Directory
confidence: 90
impact: 60
message: Possible Password Spraying attack against Azure AD from source ip $ipAddress$
mitre_attack_id:
- T1586
- T1586.003
- T1110
- T1110.003
- T1110.004
observable:
- name: userPrincipalName
type: User
role:
- Victim
- name: ipAddress
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- properties.status.errorCode
- category
- properties.authenticationDetails
- properties.userPrincipalName
- properties.ipAddress
risk_score: 54
security_domain: access
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log
source: Azure AD
sourcetype: azure:monitor:aad
update_timestamp: true